httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Kraemer <Martin.Krae...@mch.sni.de>
Subject Re: [PATCH] fix pcfg_openfile() (was: mod_auth-any/1672: Authentication / .htaccess DoS attack)
Date Thu, 15 Jan 1998 18:06:59 GMT
On Thu, Jan 15, 1998 at 12:12:36PM +0100, Martin Kraemer wrote:
> +    if (name == NULL) {
> +	aplog_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, NULL,
> +		    "Internal error: pcfg_openfile() called with NULL filename");
> +	/*assert(name != NULL);*/

Forget my patch. I just realized that someone mis-used the pcfg_openfile()
interface (instead of using the pcfg_open_custom() which was implemented
to deal with non-file based "custom" interfaces) to read the -c/-C
configure lines.

That's not good! And it leaves (as implemented) an uninitialized FILE*file
pointer in the returned configfile_t structure -- which isn't good either!

So do NOT use the patch - instead wait until I had a look at it and
maybe changed the memory-based cfg reading to use pcfg_open_custom(),
or at least *DOCUMENT* the inappropriate interface mis-use and
*INITIALIZE* a pointer if it is used further on.

    Martin
-- 
| S I E M E N S |  <Martin.Kraemer@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request

Mime
View raw message